more work on sessions and cookies, as some anomalies appeared in caldav and firefox which suggested deeper issues

Zotlabs/Web/Session.php

@@ -13,8 +13,8 @@ namespace Zotlabs\Web;
 
 class Session {
 
-	private static $handler = null;
-	private static $session_started = false;
+	static private $handler = null;
+	static private $session_started = false;
 
 	public function init() {
 
@@ -29,7 +29,7 @@ class Session {
 		 */
 
 		$handler = new \Zotlabs\Web\SessionHandler();
-		self::$handler = $handler;
+		$this->handler = $handler;
 
 		$x = session_set_save_handler($handler,false);
 		if(! $x)
@@ -38,11 +38,12 @@ class Session {
 		// Force cookies to be secure (https only) if this site is SSL enabled. 
 		// Must be done before session_start().
 
+
 		$arr = session_get_cookie_params();
 		session_set_cookie_params(
 			((isset($arr['lifetime']))   ? $arr['lifetime'] : 0),
 			((isset($arr['path']))      ? $arr['path']     : '/'),
-			((isset($arr['domain']))    ? $arr['domain']   : App::get_hostname()),
+			(($arr['domain'])    ? $arr['domain']   : \App::get_hostname()),
 			((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
 			((isset($arr['httponly']))  ? $arr['httponly'] : true)
 		);
@@ -53,7 +54,7 @@ class Session {
 
 	public function start() {
 		session_start();
-		self::$session_started = true;
+		$this->session_started = true;
 	}
 
 	/**
@@ -62,8 +63,8 @@ class Session {
 	 * @return void
 	 */
 
-	static public function nuke() {
-		self::new_cookie(0); // 0 means delete on browser exit
+	public function nuke() {
+		$this->new_cookie(0); // 0 means delete on browser exit
 		if($_SESSION && count($_SESSION)) {
 			foreach($_SESSION as $k => $v) {
 				unset($_SESSION[$k]);
@@ -77,21 +78,23 @@ class Session {
 
 		$old_sid = session_id();
 
-		if(self::$handler && self::$session_started) {
+		$arr = session_get_cookie_params();
+
+		if($this->handler && $this->session_started) {
 			session_regenerate_id(true);
 
 			// force SessionHandler record creation with the new session_id
 			// which occurs as a side effect of read()
 
-			self::$handler->read(session_id());
+			$this->handler->read(session_id());
 		}
 		else 
 			logger('no session handler');
 
 		if (x($_COOKIE, 'jsdisabled')) {
-			setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime);
+			setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime, '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly']))  ? $arr['httponly'] : true));
 		}
-		setcookie(session_name(),session_id(),$newxtime);
+		setcookie(session_name(),session_id(),$newxtime, '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly']))  ? $arr['httponly'] : true));
 
 		$arr = array('expire' => $xtime);
 		call_hooks('new_cookie', $arr);
@@ -100,12 +103,14 @@ class Session {
 
 	public function extend_cookie() {
 
+		$arr = session_get_cookie_params();
+
 		// if there's a long-term cookie, extend it
 
 		$xtime = (($_SESSION['remember_me']) ? (60 * 60 * 24 * 365) : 0 );
 
 		if($xtime)
-			setcookie(session_name(),session_id(),(time() + $xtime));
+			setcookie(session_name(),session_id(),(time() + $xtime), '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly']))  ? $arr['httponly'] : true));
 		$arr = array('expire' => $xtime);
 		call_hooks('extend_cookie', $arr);
 
@@ -152,7 +157,7 @@ class Session {
 					// check any difference at all
 					logger('Session address changed. Paranoid setting in effect, blocking session. '
 					. $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
-					self::nuke();
+					$this->nuke();
 					goaway(z_root());
 					break;
 			}

boot.php

@@ -700,6 +700,7 @@ class App {
 	private static $perms      = null;            // observer permissions
 	private static $widgets    = array();         // widgets for this page
 
+	public static  $session    = null;
 	public static  $groups;
 	public static  $language;
 	public static  $langsave;

include/Contact.php

@@ -389,7 +389,7 @@ function channel_remove($channel_id, $local = true, $unset_session=false) {
 	proc_run('php','include/directory.php',$channel_id);
 
 	if($channel_id == local_channel() && $unset_session) {
-		\Zotlabs\Web\Session::nuke();
+		App::$session->nuke();
 		goaway(z_root());
 	}
 

include/api.php

@@ -486,7 +486,7 @@ require_once('include/api_auth.php');
 
 	function api_account_logout(&$a, $type){
 		require_once('include/auth.php');
-		\Zotlabs\Web\Session::nuke();
+		App::$session->nuke();
 		return api_apply_template("user", $type, array('$user' => null));
 
 	}

include/auth.php

@@ -101,7 +101,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
 		// process logout request
 		$args = array('channel_id' => local_channel());
 		call_hooks('logging_out', $args);
-		\Zotlabs\Web\Session::nuke();
+		App::$session->nuke();
 		info( t('Logged out.') . EOL);
 		goaway(z_root());
 	}
@@ -117,7 +117,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
 				intval(ACCOUNT_ROLE_ADMIN)
 			);
 			if($x) {
-				\Zotlabs\Web\Session::new_cookie(60 * 60 * 24); // one day
+				App::$session->new_cookie(60 * 60 * 24); // one day
 				$_SESSION['last_login_date'] = datetime_convert();
 				unset($_SESSION['visitor_id']); // no longer a visitor
 				authenticate_success($x[0], true, true);
@@ -141,7 +141,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
 
 	if(x($_SESSION, 'uid') || x($_SESSION, 'account_id')) {
 
-		Zotlabs\Web\Session::return_check();
+		App::$session->return_check();
 
 		$r = q("select * from account where account_id = %d limit 1",
 			intval($_SESSION['account_id'])
@@ -155,14 +155,14 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
 			}
 			if(strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0 ) {
 				$_SESSION['last_login_date'] = datetime_convert();
-				Zotlabs\Web\Session::extend_cookie();
+				App::$session->extend_cookie();
 				$login_refresh = true;
 			}
 			authenticate_success($r[0], false, false, false, $login_refresh);
 		}
 		else {
 			$_SESSION['account_id'] = 0;
-			\Zotlabs\Web\Session::nuke();
+			App::$session->nuke();
 			goaway(z_root());
 		}
 	} // end logged in user returning
@@ -170,7 +170,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
 else {
 
 	if(isset($_SESSION)) {
-		\Zotlabs\Web\Session::nuke();
+		App::$session->nuke();
 	}
 
 	// handle a fresh login request
@@ -242,11 +242,11 @@ else {
 
 		if($_POST['remember_me']) {
 			$_SESSION['remember_me'] = 1;
-			\Zotlabs\Web\Session::new_cookie(31449600); // one year
+			App::$session->new_cookie(31449600); // one year
 		}
 		else {
 			$_SESSION['remember_me'] = 0;
-			\Zotlabs\Web\Session::new_cookie(0); // 0 means delete on browser exit
+			App::$session->new_cookie(0); // 0 means delete on browser exit
 		}
 
 		// if we haven't failed up this point, log them in.

include/cli_startup.php

@@ -30,7 +30,8 @@ function cli_startup() {
     	unset($db_host, $db_port, $db_user, $db_pass, $db_data, $db_type);
   	};
 
-	\Zotlabs\Web\Session::init();
+	App::$session = new Zotlabs\Web\Session();
+	App::$session->init();
 
 	load_config('system');
 

index.php

@@ -62,7 +62,8 @@ if(! App::$install) {
 	load_config('system');
 	load_config('feature');
 
-	\Zotlabs\Web\Session::init();
+	App::$session = new \Zotlabs\Web\Session();
+	App::$session->init();
 	load_hooks();
 	call_hooks('init_1');
 
@@ -84,7 +85,13 @@ if(! App::$install) {
  *
  */
 
-\Zotlabs\Web\Session::start();
+  if(App::$session) {
+	App::$session->start();
+  }
+  else {
+	session_start();
+	register_shutdown_function('session_write_close');
+  }
 
 /**
  * Language was set earlier, but we can over-ride it in the session.